Report Exposes Severe Gap in Security Visibility and Perceptions

A new study published by the Ponemon Institute reveals a disconnect in security visibility and perception between C-level executives and IT security staff that is driven by the lack of “organizational inability and lack of real-time intelligence” required to adapt and adjust to change.

The study, titled Security Metrics to Manage Change: Which Matter, Which Can Be Measured?, found that while the majority of the respondents indicate that responsibility for managing their organization’s security posture is owned by the C-Level executives, only “60 percent of IT security staff informing executives of specific risks only when the risk is deemed ‘serious,’ or not at all – and in more than half of the cases, actively omitting negative facts.”

“What is most concerning is that it would seem security in many organizations is based on perception and ‘gut feel,’ versus hard data,” said Dr. Larry Ponemon. “The stakeholders with the highest responsibility seem to be the least informed – a view that is amplified externally. We also found that executive perception of security ‘strength’ had a virtually identical percentage (63 percent) in external partners, and we know that third-party failings also had a hand in the Target breach.”

The study queried 597 professionals in IT, IT security, compliance, risk management and other security related management roles at Fortune 500 class organizations who have at least 1,000 employees. Other key findings include:

74% see security metrics as important

69% see an issue of metrics conflicting with business goals

62% feel that current metrics don’t provide enough information

Over 40% see Cloud and mobility/BYOD as the technologies with the greatest impact on security

46% say that current metrics can’t quantify the full security impact of Cloud models

IT security staff to rate their agility (57%) and effectiveness (56%) to accommodate change as “low”

“The biggest issue is that IT security teams are flying blind. Networks are becoming more complex and expansive, while we freeze or reduce the resources tasked with managing them. The fact that the study shows 60 percent performing manual auditing or none at all is alarming,” said Jody Brazil, whose company commissioned the Ponemon study.

“In a threat environment that is ‘always on’ and aggressive, teams must have the ability to automate and continuously monitor and assess dynamic network environments, and be equipped with proactive tools to provide predictive and prioritized intelligence on an ever-shifting risk profile.”